Regression: Browser crashes on closing tab when print preview and Chromevox are enabled

Issue description

Version: 53.0.2754.0/8405.0.0 (Official Build) dev-channel parrot,peach-pit,Jerry
OS: Chrome OS

What steps will reproduce the problem?
(1) Sign in to user >> Enable Chromevox from Accessibility section of chrome://settings
(2) Open any tab >> Hit Ctrl+p for print preview >> Now try closing the tab and observe.

Expected: No crash should be seen on closing window when print is enabled.
Actual: Instead browser crashes.

Crash id: Crash ID 1bfedd5a00000000 (Chrome)

This is a regression issue as it is working fine in 50.0.2661.103/7978.74.0 stable channel daisy.

@dtseng: Please confirm the issue.

Jun 3 2016
Issue is also seen in Linux and Windows with 53.0.2757.0 dev.
Good build: 53.0.2747.0 dev
Bad Build: 53.0.2750.0 dev
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/6a10b0b61c3d8ea20b36bcafddb8717bca83ed79..58ba9cdfec511787f1b00dc2e9e3036a9a854248
Suspecting https://codereview.chromium.org/2008773002 from changelog.

Jun 3 2016
Able to reproduce the issue on Pit using chrome version 53.0.2754.0/8405.0.0

Jun 3 2016
Users experienced this crash on the following builds:
Win Canary 53.0.2757.0 - 1.12 CPM, 6 reports, 2 clients (signature views::AXWidgetObjWrapper::Serialize)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas

Jun 6 2016
Users experienced this crash on the following builds:
Win Canary 53.0.2760.0 - 0.26 CPM, 2 reports, 1 clients (signature views::AXWidgetObjWrapper::Serialize)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas

Jun 7 2016
Just FYI, issue is still seen in 53.0.2761.2 dev channel, Ubuntu 14.04.

Jun 7 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0ede80c428189d30bb398e351d16217464bd9294

commit 0ede80c428189d30bb398e351d16217464bd9294
Author: dtseng <dtseng@chromium.org>
Date: Tue Jun 07 22:49:20 2016

Fix crash when closing a window with an associated widget child

This is a similar issue to https://codereview.chromium.org/1644863003/

When closing some windows, the following occurs:
- WebContentsImpl enters its destructor
- a widget fires OnWidgetDestroying
- an AXWidgetObjWrapper gets destroyed
- WebContentsImpl fires an ax event
- the ax serializer walks the aura window and gets the widget "child" of the aura window
- a new AXWidgetObjWrapper gets created
- the widget's OnWidgetDestroying finishes and widget is destroyed
- WebContentsImpl exits its destructor
- the AXWidgetObjWrapper instance is now wrapping a deallocated widget
- future access to the AXWidgetObjWrapper causes a uaf.

BUG= 617020
Review-Url: https://codereview.chromium.org/2044123003
Cr-Commit-Position: refs/heads/master@{#398407}

[modify] https://crrev.com/0ede80c428189d30bb398e351d16217464bd9294/ui/views/accessibility/ax_window_obj_wrapper.cc
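
The teardown order listed in the commit message above, as an added C++ model (not Chromium code and not the actual patch). Widgets are integer ids so nothing freed is ever touched; `Model`, `StaleAfterClose` and the `guard` flag are hypothetical names, and the guard is one assumed mitigation that refuses to hand out a wrapper for a widget that is mid-destruction.

```cpp
#include <cstdio>
#include <map>
#include <set>
// Constructed model of the teardown order in the commit message. Widgets are
// integer ids, so the demo never dereferences freed memory.
struct Model {
  std::set<int> live;        // widgets that still exist
  std::set<int> closing;     // widgets currently inside OnWidgetDestroying
  std::map<int, int> cache;  // widget id -> wrapper id
  int next_wrapper = 1;
  bool guard = false;        // hypothetical mitigation, not the real patch

  // Stand-in for the cache lookup the serializer does for each child.
  // Returns the wrapper id, or 0 when no wrapper is handed out.
  int GetOrCreate(int widget) {
    if (guard && closing.count(widget)) return 0;
    auto it = cache.find(widget);
    if (it != cache.end()) return it->second;
    int id = next_wrapper++;
    cache[widget] = id;
    return id;
  }

  void CloseWindow(int widget) {
    closing.insert(widget);  // widget fires OnWidgetDestroying
    cache.erase(widget);     // the existing wrapper gets destroyed
    GetOrCreate(widget);     // ax event: serializer reaches the widget "child"
    closing.erase(widget);   // OnWidgetDestroying finishes
    live.erase(widget);      // widget is deallocated
  }

  // Wrappers whose widget is gone; any later access would be the UAF.
  int StaleWrappers() const {
    int n = 0;
    for (const auto& e : cache)
      if (!live.count(e.first)) ++n;
    return n;
  }
};

// Runs one open/close cycle and returns the number of stale wrappers left.
int StaleAfterClose(bool guard) {
  Model m;
  m.guard = guard;
  m.live.insert(7);
  m.GetOrCreate(7);  // wrapper created while the widget is healthy
  m.CloseWindow(7);
  return m.StaleWrappers();
}

int main() {
  std::printf("%d %d\n", StaleAfterClose(false), StaleAfterClose(true));
}
```

Without the guard the cache ends the cycle holding a wrapper for a widget that no longer exists; with it, the re-entrant lookup during `OnWidgetDestroying` creates nothing.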

Jun 9 2016
Works fine on Windows-7, Linux Ubuntu 14.04 chrome version: 53.0.2763.0. Hence adding the verified label.

Jun 18 2016
verified on 53.0.2768.0

Comment 1 by sc00335...@techmahindra.com, Jun 3 2016